A comprehensive set of procedures is implemented that tests all patches, upgrades, and new AIS applications prior to deployment.
MAC / CONF: MAC I, MAC II, MAC III
Security Design and Configuration
Most information systems throughout an organization are unique. Patches, upgrades, and new applications can behave quite differently when applied across disparate systems. It is paramount that steps be taken to maintain the stability of the production IS. Proper compliance testing provides a reasonable level of assurance that system changes will achieve expected results.
1. Each component shall implement a comprehensive set of test procedures that verify that fielded systems will not be negatively impacted by the introduction of patches, upgrades, or modifications.
2. Identify the need for an upgrade by monitoring appropriate channels such as vendor sites, mailing lists, third-party sources, vulnerability scans, or other means of detection.
3. Patches shall come from an approved trusted source and be tested and deployed in a timely manner.
4. Follow all prescribed installation procedures associated with the upgrade.
NIST SP 800-40, Procedures for Handling Security Patches. August 2002
DoDI 8500.2, Information Assurance (IA) Implementation, para E3.2.4, E22.214.171.124, 06 February 2003